SCADA security

Thursday Morning Scary Read


Nancy Bartels driving the blogging machine here this morning. I am not by nature an alarmist, and I tend to ignore headlines that say (or imply) "OMG, we're all going to die!" On the other hand, when you smell smoke in the kitchen for longer than a couple of minutes, it can't hurt to assume something more than the toast is burning. Which brings us to this link from Dark Reading.

From 'Unfettered Blog'

Tofino Security article: SCADA Cyber Security Problems


SCADA Cyber Security Problems - Just How Common are the Programming Errors?

The discovery of SCADA-security issues by Luigi Auriemma and Siemens PLC weaknesses by NSSLabs this year is interesting from a software-engineering point of view. Having been active in the development of industrial controllers, embedded devices, PLCs and machines, I have experienced the other end of the cyber security problem - not how vulnerabilities must be stopped, but the ease with which they are created.

From 'Unfettered Blog'

CIPAC, FERC, NSF, FREEDM, CERT for Control Systems, CSIS and other acronyms...


The CIPAC Metrics Workgroup for Water was convened by the Water Sector Coordinating Council and Government Coordinating Council to develop a national performance measurement system for the water sector. Consequently, they issued “Recommendations of the CIPAC Metrics Work Group for Water” dated June 2008. It is an extremely disappointing document. The document itself is 76 pages. The term “SCADA” is used 3 times.

From 'Unfettered Blog'

Joe shares his thoughts on the qualifications of control system security vendors


The following is an ad from Digital Bond's website. It is the second time they have advertised for control system expertise AFTER obtaining a DHS or DOE contract.

"Digital Bond is still hiring security researchers to help with Bandolier, Portaledge and Quickdraw. We have one need that is proving difficult to find: a controller wizard.

"Various aspects of the projects require us to have multiple PLC’s, RTU’s and IED’s from different vendors in our lab. We have Rockwell Automation, ...

From 'Unfettered Blog'

I’m sitting in for Joe, because he’s running the ACS Conference


So am I, ...and I’ll be blogging about it for the next couple of days, but I’ll be simul-blogging on SoundOff as well.

The more than 100 attendees of the conference heard a video keynote from Congressman James Langevin (D-Rhode Island). Congressman Langevin urged the attendees to take back to their CEOs and managers his message: cybersecurity is an important issue and must be treated that way. “I hope that we can all get our egos out of the way and work together on this,” he said.

Ironically, as C...

From 'Unfettered Blog'

Is there a SCADA link in the Terry Childs incident in San Francisco?


San Francisco and SCADA

Jake Brodsky brought up the following, "Do management and law enforcement types have any clue as to how one might regain control of a SCADA system after a rogue employee has secured everyone out of it?"

I had planned on saying something at the Conference next week, but I will bring it up now.

There are two aspects of the Terry Childs’ situation, the San Francisco IT Administrator who locked out his Department from the City WAN, that have interesting implications for SCADA/...

From 'Unfettered Blog'

Bandolier: Gold Standard, or Only Half Way There?


Bandolier: Is half way there good enough?

I want to specifically respond to Ralph Langner’s comments on my blog post on Severity Levels.

Ralph posted, “While I agree in general that severity cannot be established without context, experience tells me that such context can hardly be established by any kind of automated software tool. Even worse, many asset owners don't have any realistic idea, not to say methodology, of calculating the cost of potential cyber incidents. Wit...

From 'Unfettered Blog'

Guest Post: Jake Brodsky on the Roadmaps and what’s going wrong…


We have a problem. We have efforts at all levels to secure industrial control systems, but there isn't much coordination. Some efforts are falling by the wayside. The Roadmaps for energy and water are mostly taking top-down approaches. There are approaches in the middle such as the ISA-99, and going further toward the technical side, Secure Authentication for DNP and the AGA-12 effort.

However, I know of nearly nothing taking place at the bottom. There are training courses from DHS aimed a...

From 'Unfettered Blog'

Lightbulbs Slowly Going on over Control System “Cyber Incidents”


I had a meeting Wednesday morning with an IEEE standards committee on cyber security of substation devices. Following that, Marshall Abrams from MITRE and I gave a presentation at RSA, which is billed as the world’s largest cyber security conference. I then gave a presentation at a major control system users’ group meeting. There were several other presentations at RSA on the subject of “SCADA security.” In one of the panel sessions, there was a discussion about media hype and how it is hurting ...

From 'Unfettered Blog'